In many computer systems, there is often a restricted class of users (e.g., root users) that have read and write access (e.g., root access) to the computer systems. These users are often the overall administrators of the computer systems. As such, these users often have a large number of responsibilities that prevent them from being able to efficiently perform everyday tasks (e.g., managing databases, websites, adding new users, etc.) on the machines of the computer systems. Somehow, these users must delegate their system access to other users.
Unfortunately, in these computer systems, access is limited to either all or nothing. In other words, a root user may delegate complete and total access to a non-root user or none at all. As a result, even if a root user wants to enable a non-root user only to be able to add users or administer a database on a single machine in the computer system, the non-root user will have total access to the computer system and be able to do most anything on the computer system. Clearly, this presents a significant problem with regard to computer system security.
One possible solution has been to limit the delegation of total access to non-root users to a discrete period of time. This solution enables the non-root user to perform an assigned task during the discrete period of time. Unfortunately, this solution is not satisfactory since the non-root user will still have complete computer system access, jeopardizing computer system security, for the discrete period of time.
The Hewlett Packard Company does provide a product called Systems Administration Manager (“SAM”) that provides a “restricted” SAM access functionality (see U.S. Pat. Ser. No. 5,579,478). Likewise, there is a public domain UNIX tool called “sudo” which provides an ability to run commands as root on a per command basis. However, unlike the present invention, these tools are focused on a single system, do not allow access control across multiple systems (e.g., nodes), do not provide role-based tool delegation, and do not allow the degree of control that the present invention does, among other disadvantages.
Consequently, a system and method of enabling non-root users to perform specific tasks without jeopardizing computer system security is needed. A system and method for restricting non-root users' root access to delineated tasks preferably on specific machines or groups of machines is needed. A system and method of allocating tools that may be executed by non-root users for specific purposes based on user roles is needed.